ISO 27001 Certification and Audit Cost Guide
ISO 27001 FAQs
This FAQ addresses frequently asked questions regarding ISO 27001: what it is, how to get certified, and the costs involved in attaining certification.
We are always happy to answer questions, so feel free to contact one of our ISO 27001 experts anytime.
An Information Security Management System (ISMS) is a systematic approach to ensuring that critical risks to information assets are reduced to a level consistent with management’s objectives. In essence, it is a comprehensive process for managing information security.
ISO-27001 is a certifiable international standard for the operation of an Information Security Management System (ISMS). It is a way for someone to provide independent, third-party validation (attestation) that they are managing information security risks in accordance with prevailing best practice.
ISO-27002 is a collection of “best practices” (e.g., information security controls) for managing information security risks. An ISO-27001 ISMS utilizes the ISO-27002 controls as mechanisms to reduce risks to critical information security assets. In essence, ISO-27001 certification “includes” or encompasses ISO-27002 compliance.
There are three costs to becoming certified: internal costs (e.g., resource cost), consulting costs for preparation, and certification costs. The costs can vary notably based on the ISMS scope, ISMS gap assessment, resource capabilities, and the project schedule. Learn more about ISO-27001 Certification Costs.
Generally the entire process (preparation and certification) takes 6 to 18 months for most PivotPoint clients. For factors that influence this timeframe, see this blog post.
You are required to have a registrar audit your ISMS each year. In each of the first 2 years after your certification you will require a “surveillance” audit. In the 3rd year you will require another “certification” audit. The cost of the surveillance audit is generally 60 to 80% of the certification audit. You will also need to conduct an “Internal ISMS Audit” annually. While you can do this with internal staff, most organizations favor having an independent entity conduct the audit.
It’s important to note that you may end up pursuing more than one of these “attestation standards”. So the question may be “Which should I pursue first?” As the primary business driver for pursuing these standards is “attestation” for your clients, the answer may be as simple as understanding what your clients require. If you expect to pursue more than one “attestation certification” – separating the building of the ISMS from the choice of attestation/certification is the best approach.
ISO 27001 is a specification for an information security management system (ISMS) and includes information concerning business continuity management as it pertains to the continuity of the ISMS. ISO 22301 provides a broader specification for a full-blown Business Continuity Management System (BCMS) that addresses continuity beyond the ISMS. The Management System components of the two standards are completely compatible with one another.
This depends on the structure of the organization seeking certification. Most organizations choose to ISO-27001 certify the portions of the organization which process sensitive client data.
ISO-27001 does require a fair amount of documentation of the ISMS itself and evidence that the ISMS is operating effectively. Generally, we find that the additional work effort to produce and maintain the documentation is more than offset by the time saved by reductions in security incidents and third party audits.
An organization with ISO-27001 certification will benefit from the savings of increased efficiency that a well-maintained ISMS provides. We also note that companies with an ISO-27001 certificate save a considerable amount of time providing documentation of the ISMS (e.g., questionnaires) to their current and potential clients. Having an ISO-27001 certificate can also be a significant competitive advantage over other companies providing the same services that you do.
An organization that is accredited by a known accrediting body for its competence to audit and issue certifications that confirm an organization meets the requirements of a specific standard (e.g. ISO 27001 or ISO 22301).
When choosing a certification body, don’t just compare prices. You should review several different certification bodies’ proposals to see what they include. There are some additional factors that should be considered during the decision-making process:
- Accreditation. Anyone can say they’re ISO 27001 certified, but not everyone can say the same about their accreditation status. You’ll want to check to see if the certification body has accreditation before going further.
- Experience. Ask for a list of companies that the certification body has audited previously. Don’t settle for someone who has little to no experience.
- Flexibility. This doesn’t mean you must choose someone who is local or someone who has a completely open schedule. It may prove difficult to change the date of the audit if travel arrangements have been made previously, especially if something happens beyond your control.
- Integrated Audit. While you may only be considering ISO-27001, the organization may want to implement additional certifications in the future, such as ISO-22301, HITRUST, or PCI. In these instances, the certification body can perform an integrated audit, which will save you both time and money.
- Language. This goes hand in hand with Flexibility. Even if your certification body provides a translator, the audit will go more smoothly if the auditors already speak your language. Documents will be interpreted more easily, and the relationship can be better fostered in the absence of any language difference.
- Reputation. While all registrars are accredited, there can be a delta in the quality of the auditor and the audit process. Some registrars have notably better reputations than others.
- Specialization. Vertical expertise can be a significant advantage. If you are a law firm seeking certification, selecting a certification body specializing in the financial or medical sectors may result in you spending a lot of time explaining your business. Worse, you may receive non-conformities that stem from the auditors’ lack of understanding of your business.
As with most major enterprise-related decisions, convincing management to pursue ISO-27001 certification could be an uphill battle. To aid you in the process, you will need two vital components: a list of benefits to the business that apply directly to your company, and the ability to communicate those benefits to those at the executive level in a way that they can easily understand.
Three benefits that make the case for implementing ISO-27001 to executives:
- Certification is a statement to everyone in the company. Whether your goals are customer satisfaction or production objectives, with a certification in place you are proving that your company is committed to meeting and/or exceeding those objectives.
- If you are in an industry that relies on the transmission or storage of clients’ sensitive data, ISO-27001 provides you with the marketing leverage to set you apart from your competitors.
- ISO-27001 will significantly reduce the likelihood and impact of a data breach. With average breaches costing ~$4M, ISO-27001 is the best way to protect your company from a potentially crippling loss.
Maintaining your certification is reasonably simple:
- Operate the ISMS as documented. Most importantly, take a risk-centric approach to managing information security risk.
- Update the controls you have in place (e.g., your Policies and Procedures) as required by changes in risk.
- Improve your Information Security year over year in a measurable way. Continuous Improvement is a requirement of the standard.
- Conduct an ISMS Internal Audit each year (or at several points throughout the year) to demonstrate that management is committed to ensuring the effectiveness of the ISMS.
- Undergo an annual surveillance (or re-certification) audit by the registrar each year to maintain your certificate.
ISO-27001 does not explicitly require that an individual in your organization hold the title of CISO. However, having someone with the senior-level expertise required to establish and maintain the enterprise’s security strategy and to act as the primary liaison to interested third parties is beneficial. Organizations that don’t have the resources or the need for a full-time CISO may choose to leverage an outsourced CISO in a temporary role until their needs evolve.